The Israeli Ministry of Justice published a draft bill proposing to amend the Israeli Privacy Protection Law (the “IPPL”). The draft bill proposes to adopt some of the GDPR terminologies and revise the compulsory database registration regime.
The government plans to subsequently introduce two additional draft bills to revamp Israel’s PPL. Bundled with the current draft bill, the three bills would aim to constitute a reform to the outdated law:
- One other draft bill would seek to enhance the supervisory and enforcement powers granted to the Israeli Protection of Privacy Authority.
- Another draft bill is expected to include substantive matters such as expanding the legal bases for data processing beyond mere consent and statutory obligation, broader and up-to-date data subject rights and arrangements reflecting the accountability of data controllers and data processors.
The current draft bill was published just days after the Court of Justice of the European Union (the “CJEU”) invalidated the Privacy Shield mechanism for the transfer of personal data from the EU to the US Amid that judgment the key amendment in the draft bill is the intended curtailment of a database owner’s duty to register a database with the Registrar of Databases (the Israeli privacy regulator at the Israeli Protection of Privacy Authority). Although the draft bill’s explanatory notes concede that the existing compulsory registration regime is ineffective, it would not eliminate the duty. Instead, it would attempt to downscale it to require registration only for purportedly ‘high risk’ databases. Effectively, it would preserve the registration requirement only for databases containing information of 100,000 data subject or more, and which also meet other criteria.
Under the draft bill, the definition of ‘data’ would also be amended to follow the path of the GDPR; the definition of a ‘Holder’ of a database would be amended to include anyone who has access to a database for the provision of services to the owner of the database, similar to the definition of a ‘processor’ under the GDPR
The draft bill also amends the definition of an ‘owner’ of a database to cover anyone who alone or with others, determines the purpose of the processing of personal data, akin to the definition of ‘controller’ under the GDPR. The draft bill also adopts much of the GDPR’s definition for ‘processing’ which would include disclosure, transfer, storage, review, organization, rectification, completion, recovery, and deletion of data.
The draft bill is open to public comments through August 6, 2020.
CLICK HERE to read more about the draft bill (English)
CLICK HERE to read the proposed draft bill (in Hebrew).